UGA expecting more, stronger computer threats

Virus alert

Posted: Saturday, August 23, 2003

By Lee Shearer, lee.shearer@onlineathens.com

Computer security experts at the University of Georgia and elsewhere spent much of Friday getting ready for a renewed attack from the Sobig.F computer virus, but by Friday evening the attack seemed to have fizzled.

Earlier Friday, when it was still uncertain how powerful the latest attack would be, workers at UGA took measures to stop a hidden feature of the virus, which exploits security flaws in recent Microsoft Windows e-mail programs. The virus bogged down e-mail and Internet traffic worldwide in the past week.

An international effort had apparently blunted the newest virus attack by Friday evening. But more and stronger attacks are likely, said Stan Gatewood, UGA's chief information security officer.

"I don't believe we've reached any high-water mark where we should panic," he said. "I believe the worst is yet to come."

Sobig is the latest in an escalating wave of computer viruses that target security holes in recent versions of Microsoft Windows software and have plagued computer users worldwide over the past several weeks.

The new twist comes from instructions Sobig left behind, which direct infected machines running Microsoft Windows to try to download an unknown program from the Internet beginning as soon as Friday afternoon.

UGA programmers immediately blocked access to the little-used port used by the virus, and were also analyzing the code to identify the unknown Web site the virus would attempt to connect to from UGA computers and what it would do once connected, Gatewood said.

UGA servers were meanwhile being programmed to block any attempts to connect to that Web site, he said.

The code could be left behind even after the original virus was cleaned up with anti-virus software, he said.

There has been little consensus among computer security experts about the motive behind the attacks, but many, including UGA computer security expert Michael Covington, think national security is at issue in the attacks.

"These people are basically domestic terrorists," said Covington, assistant director of UGA's Artificial Intelligence Center. FBI investigators were looking at an Arizona Internet service provider as the possible source of the Sobig virus.

Covington argues for a shift in the way we think about hackers, spammers and their ilk. They ought to be considered criminals and prosecuted like criminals, according to Covington.

"We need to work on deterrence, not prevention," he said. "I think that when there's large-scale sabotage of the Internet we ought to take it just as seriously as when someone runs an airliner into a building."

Gatewood stops short of calling the Sobig attacks a terrorist attack, but agrees that we should be thinking about terrorism in connection with hacker attacks.

"I'm not ready to declare this a concerted effort by people who are against us, but we do need to press software manufacturers only to release software after it has been tested and found to be secure," he said.

But even if this is not a terrorist attack, the potential is certainly there for future ones, Gatewood agreed. Future attacks could threaten things like hospitals and power plants, he said.

"What's taking place is that we are seeing these blended, hybrid threats," he said - attacks that combine features such as "denial of service," which disrupts by generating large volumes of data transmission, with other features such as "time bombs," or programs designed to kick in at a later date after they've been implanted.

"This can be used as an attack mechanism. It's not just a little tap on the windows. It's breaking in," Gatewood said.

Home computer owners' best defense is to make sure they have anti-virus software, and make sure to update it frequently, said Doug Koontz of Northeast Georgia Internet Access, an Athens-based Internet service provider.

Most anti-virus programs update automatically once a week, but the home user can program them to update more frequently, he said.